From: Victor Julien
Date: Tue, 23 Jul 2013 11:23:08 +0000 (+0200)
Subject: Add yaml option to disable vlan ids hashing
X-Git-Tag: suricata-2.0beta2~487
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16c3487444adf9b888a499604735c1254a669795;p=thirdparty%2Fsuricata.git

Add yaml option to disable vlan ids hashing

In some cases using the vlan id(s) in flow hashing is problematic. Cases of broken routers have been reported. So this option allows for disabling the use of vlan id(s) while calculating the flow hash, and in the future other hashes. Vlan tracking for flow is enabled by default.
---
diff --git a/src/decode-vlan.c b/src/decode-vlan.c
index 7130ed3a0c..11dab31113 100644
--- a/src/decode-vlan.c
+++ b/src/decode-vlan.c
@@ -77,7 +77,10 @@ void DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt,
             p, pkt, proto, GET_VLAN_PRIORITY(p->vlanh[p->vlan_idx]),
             GET_VLAN_CFI(p->vlanh[p->vlan_idx]), GET_VLAN_ID(p->vlanh[p->vlan_idx]), len);
 
-    p->vlan_id[p->vlan_idx] = (uint16_t)GET_VLAN_ID(p->vlanh[p->vlan_idx]);
+    /* only store the id for flow hashing if it's not disabled. */
+    if (dtv->vlan_disabled == 0)
+        p->vlan_id[p->vlan_idx] = (uint16_t)GET_VLAN_ID(p->vlanh[p->vlan_idx]);
+
     p->vlan_idx++;
 
     switch (proto) {
diff --git a/src/decode.c b/src/decode.c
index e790f47078..091b1a426c 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -432,6 +432,13 @@ DecodeThreadVars *DecodeThreadVarsAlloc()
     /* initialize UDP app layer code */
     AlpProtoFinalize2Thread(&dtv->udp_dp_ctx);
 
+    /** set config defaults */
+    int vlanbool = 0;
+    if ((ConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
+        dtv->vlan_disabled = 1;
+    }
+    SCLogDebug("vlan tracking is %s", dtv->vlan_disabled == 0 ? "enabled" : "disabled");
+
     return dtv;
 }
 
diff --git a/src/decode.h b/src/decode.h
index 3d96df622b..3a31d74250 100644
--- a/src/decode.h
+++ b/src/decode.h
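Review bot: When `dtv->vlan_disabled` is set, the guarded assignment leaves `p->vlan_id[p->vlan_idx]` untouched, so the slot keeps whatever value the packet carried before decoding; if packets are recycled without that array being reset (any such reset is outside this hunk), a stale id from an earlier packet could still reach the flow hash. Writing the field explicitly in that case removes the dependency: `else p->vlan_id[p->vlan_idx] = 0;`. The comment says the id is stored "for flow hashing", but `p->vlan_id` is a Packet field, so any other reader of it (logging, output) is affected by the option as well, which is wider than the commit description states and worth saying in the comment. The body of DecodeVLAN continues outside the hunk.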
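Review bot: `dtv->vlan_disabled` is only ever written as 1 in the new block, so the default of 0 that the SCLogDebug line reports relies on DecodeThreadVarsAlloc having zeroed the allocation earlier in the function, which is outside the hunk; an explicit `dtv->vlan_disabled = 0;` before the `if` makes the default hold regardless of how the struct was allocated. The `/** set config defaults */` comment uses the Doxygen form on a statement inside a function body, whereas the neighbouring `/* initialize UDP app layer code */` uses the plain form; `/* set config defaults */` keeps the file consistent. DecodeThreadVarsAlloc starts outside the hunk.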
@@ -547,6 +547,8 @@ typedef struct DecodeThreadVars_
     /** Specific context for udp protocol detection (here atm) */
     AlpProtoDetectThreadCtx udp_dp_ctx;
 
+    int vlan_disabled;
+
     /** stats/counters */
     uint16_t counter_pkts;
     uint16_t counter_pkts_per_sec;
diff --git a/suricata.yaml.in b/suricata.yaml.in
index dc6be13b96..31afdf3484 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -531,6 +531,13 @@ flow:
   prealloc: 10000
   emergency-recovery: 30
 
+# This option controls the use of vlan ids in the flow hashing. Normally this
+# should be enabled, but in some (broken) setups where both sides of a flow are
+# not tagged with the same vlan tag, we can ignore the vlan id's in the flow
+# hashing.
+vlan:
+  use-for-tracking: true
+
 # Specific timeouts for flows. Here you can specify the timeouts that the
 # active flows will wait to transit from the current state to another, on each
 # protocol. The value of "new" determine the seconds to wait after a hanshake or
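Review bot: The new `int vlan_disabled;` member is the only field in this stretch of DecodeThreadVars_ without a doc comment, while its neighbours (`udp_dp_ctx`, the stats/counters) each carry one. Suggest `/** non-zero when vlan ids are not stored on packets for flow hashing; set from vlan.use-for-tracking */` above it, so a reader of the header learns which config key drives it without opening decode.c. The struct definition starts and ends outside the hunk.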